What is Session?
HTTP is known as a stateless protocol, which means that the webserver does not keep track of whether multiple requests come from the same user. In other words, HTTP does not remember anything once a request has been handled. After a TCP/IP three-way handshake is completed, a session is created, which is used to carry state between requests even when they occur weeks apart.
Sessions are maintained by passing a unique session identifier between requests, typically in a cookie (the session data itself usually resides in the webserver's file system). The session identifier can also be passed in forms and query arguments. PHP handles sessions transparently through a combination of cookies and URL rewriting (the latter only when session.use_trans_sid is turned on in php.ini; it is off by default in PHP5): it generates a unique session ID and uses it to track a local data store (by default a file in the system's temporary directory, in my case /tmp/) where the session data is saved at the end of every request.
Caution: session_start() must be called before any output is sent to the browser, because it will try to set a cookie by sending a response header.
Session Security
Most other attacks, like XSS and CSRF, can be prevented by filtering input and escaping output, but session attacks cannot. Instead it is necessary to plan for them and identify the potential problem areas of your application.
Two notorious forms of session attack are session fixation and session hijacking.
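The following is an added example, not code from the original post, showing how the points above fit together in a PHP session bootstrap: the session ID is accepted only from a cookie (so the URL-rewriting path that session.use_trans_sid enables is never used), session_start() runs before any output, and the ID is replaced on login so that a value the client held before authenticating no longer names a valid session. The function names login_user() and logout_user() and the user ID value are assumptions for illustration; the array form of session_set_cookie_params() requires PHP 7.3 or later.

```php
<?php
// Added example (not the blog author's code). Function names are assumptions.

// Keep the session ID in a cookie only; never accept it from the URL or a form.
// session.use_trans_sid is already off by default, this makes that explicit.
ini_set('session.use_trans_sid', '0');
ini_set('session.use_only_cookies', '1');
// Reject session IDs that this server did not generate (PHP 5.5.2+).
ini_set('session.use_strict_mode', '1');

// Cookie attributes: not readable from JavaScript, sent only over HTTPS.
// The array form below needs PHP 7.3+; older versions take positional arguments.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, discarded when the browser closes
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Must run before any output: it sends the Set-Cookie response header.
session_start();

// Call on a privilege change (e.g. a successful login). Replacing the ID means
// an identifier the client held before authentication is no longer valid,
// which is the standard defence against session fixation.
function login_user(int $userId): void
{
    session_regenerate_id(true);   // true = delete the old data file (e.g. /tmp/sess_<old id>)
    $_SESSION['user_id'] = $userId;
    $_SESSION['login_at'] = time();
}

// Logout: wipe the server-side data, expire the cookie, destroy the session.
function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Example usage with an assumed user ID of 42.
login_user(42);

// Session data is written to the store (by default a file such as
// /tmp/sess_<id>) when the script ends; closing it explicitly releases
// the file lock early and is safe once no more writes are needed.
session_write_close();
```

The order matters: every ini_set() and session_set_cookie_params() call has to precede session_start(), because those settings are read when the session is opened and the cookie header is emitted at that point. Regenerating the ID with the delete flag set also removes the old file from the temporary directory mentioned above, so the stale identifier cannot be resumed later.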